Magnitude EK Looks to Succeed Blackhole as Top Exploit Kit

In the wake of the arrest of the creator of the Blackhole Exploit Kit, there was a bit of a power vacuum left behind as cyber-criminals scrambled to move their blackhat activities to uncompromised platforms. According to new research, the Magnitude exploit kit has benefitted, and now commands 31% of the exploit kit market to be poised to unseat Blackhole as the Big Kahuna of EKs.

According to Trustwave’s Global Security Report, analysis of the growing tool reveals that Magnitude’s operations are generating a weekly income of $60,000 and have affected hundreds of thousands of users in more than 50 countries worldwide.

Magnitude, formerly known as PopAds, was first seen at the beginning of 2013.

“Magnitude’s prevalence has led some security researchers to refer to it as ‘the new Blackhole.’” Explained Trustwave in its report. “A contributing factor to this is that the group behind the Cutwail spambot now uses Magnitude instead of Blackhole for propagation purposes.”

Other kits are out there, of course: The Redkit exploit kit, for instance. It’s had a bit of a rollercoaster ride; it was one of the leading kits in 2012, but saw an overall fall in prevalence in 2013 to reach just 6% of the market.

“In October, however, its frequency jumped and continued at a high rate through the end of 2013,” Trustwave said. “Like Magnitude, we expect Redkit to help fill the demand created by the declining use of Blackhole.”

Neutrino, Styx and Sweet Orange are other popular EKs.

“An exploit kit’s main purpose is to help infect as many machines as possible without detection. The latter is mainly what makes each exploit kit unique—the obfuscation and evasion methods used to elude security products,” explained Trustwave.

It’s worth noting thought that Blackhole will not go gently into that good night: it remained the most prevalent exploit kit at the end of 2013 at 49%—just 15% less than in 2012.

“While Blackhole maintained its first-place ranking with 49 percent prevalence in 2013, the October arrest of its creator, nicknamed Paunch, brought on a decline in its usage, compared to 2012’s 60 percent prevalence, due to a lack of updates and an increase in detection rates,” Trustwave said in the report. “We suspect that without anyone taking ownership of the kit, it will eventually disappear.”

Meanwhile Cool, another exploit kit allegedly developed by Paunch and his crew, was developed as a premium offering consisting of higher-grade exploits, including zero-days. But now, it comprises just 6% of the total EK market.

“Its $10,000 rental price far exceeded Blackhole’s monthly $500 to $700 fee,” Trustwave said. “However, Cool has practically disappeared from our telemetry since last October for many of the same reasons Blackhole’s prevalence declined.”

All of that said, EK use tends to ebb and flow thanks to copycat functionality. “For example, almost every Java vulnerability discovered in an exploit kit during 2013 was also spotted in at least one more active exploit kit within the following week,” Trustwave said in the report. “For example CVE-2013-1493, a Java flaw that worked on both version 1.6 and 1.7, was first observed in the Cool exploit kit on March 8 and found its way into other active exploit kits around the same time. Within the span of one month, eight different exploit kits that comprised the majority of active kits during that time each included an exploit for this vulnerability. Many of these were nearly exact copies of one another in terms of the exploit itself. Trustwave observed this repeating pattern throughout the year with several other Java vulnerabilities.”

What’s Hot on Infosecurity Magazine?